1、使用yum安裝即可,確定安裝的是freeradius2,而不是1。如果以前又freeradius,先卸載
yum remove freeradius
安裝
yum install freeradius2
yum install freeradius2-utils //這個含radtest,使用者測試
預設freeradius是使用files方式認證使用者,如果不使用資料庫,到此安裝就搞定了
2、安裝完成後就修改設定檔。
vi /etc/raddb/users
找到steve,注釋去掉,將steve改成你的使用者名稱。可以建立多個使用者,如下:
dalon Cleartext-Password := "testing"
test Cleartext-Password := "testing123"
3、 測試
可執行檔為 /usr/sbin/radius
/usr/sbin/radius -X //debug模式運行,可以看到詳細過程。
radtest 測試server是否能響應:
radtest test testing localhost 0 testing123
test和testing分別為使用者名稱和密鑰,對於設定檔users裡面的內容。
localhost為設定檔clients.conf中的內容,預設針對localhost密鑰為testing123
0 意思為NAS-PORT 0,預設為0,所以不用配置。見檔案 /etc/raddb/radiusd.conf中配置,如下:
listen {
ipaddr = * //監聽IPV4所有地址
# ipv6addr = ::
port = 0 //nas-port
type = acct
# interface = eth0
# clients = per_socket_clients
}
測試正確的結果如下(下面是測試IPV6):
[root@CentOS ~]# radtest -6 test test123 ::1 0 testing123
Sending Access-Request of id 44 to ::1 port 1812
User-Name = "test"
User-Password = "test123"
NAS-IPv6-Address = ::1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host ::1 port 1812, id=44, length=20
4、將伺服器改成監聽IPV6
需要修改檔案
a) /etc/raddb/radiusd.conf
將兩個listen {}中 ipaddr = * 注掉,ipv6addr = :: 取消注釋
b) /etc/raddb/clients.conf
將localhost中的監聽地址改成ipv6的,如下:
client localhost {
ipv6addr = ::1 # any. ::1 == localhost
建立一組client(下面的例子是3000::/64網段為例,也可以使用::/0):
client 3000::/64 {
secret = testing123
shortname = ipv6client //為區別名,和別的組不一樣即可
}
5. 驗證通過的debug資訊:
rad_recv: Access-Request packet from host 3000::abcd port 60378, id=232, length=45
User-Name = "dalon"
User-Password = "testing"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dalon", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry dalon at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 232 to 3000::abcd port 60378
Finished request 29.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 29 ID 232 with timestamp +531
Ready to process requests.
6.在mysql中添加使用者進行測試
mysql;
use radius;
insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','pass123');
exit;
radtest test pass123 127.0.0.1 0 testing123
看到“rad_recv: Access-Accept” 則認證成功。
7.如果授權其他主機訪問radius認證,可以在radius server的clients.conf添加授權
vim /etc/raddb/clients.conf
添加
client 192.168.50.64 {
ipaddr = 192.168.50.64
secret = testing123
}
登入192.168.50.64
yum -y install freeradius-utils
radtest test pass123 192.168.50.65 0 testing123